Agreed, about as secure as you can make NT. However, your post, like all
the rest, completely misses the point of Paul's post and my follow-up. I've
avoided the religious war as best possible, but poor Paul has carried the
brunt way too long (Hey Paul, now I'm glad you beat me to the send button,
see what you get for being first :-).
The basic comments made by us (Paul, jump in if I'm lying) were that a
stripped down NT system contains more code than a stripped down UNIX system
(that ease of use GUI costs you there). More code implies more potential
SOFTWARE bugs, not config bugs, not hardware bugs, not the idiot forgot to
plug it in bugs. ASSUME the same level of personnel on each platform, i.e.
the absolute best in the world on that platform, assume the exact same
firewall configured by the best in the world for that firewall on that
platform. NT has more code, NT has more POTENTIAL vulnerabilities. Add to
that, NT's code base has fewer miles on it in a 'connected to the rest of
the world' environment, not at the desktop in a nice safe protected office
but on the net (unix has been there for ohhh say 20-30 years, like pre IBM
PC; NT can't beat that but more importantly can't come close). Fewer miles
imply that more of the bugs in the original ship have yet to be found
(assumption: over time the bulk of the bugs are found and fixed). Add to
that, the architecture of NT runs more code in kernel than a stripped Unix;
assumption: kernel bugs are not where you want security problems due to
access issues (smaller kernel implies fewer GOD level access bugs). Add to
that, MS ships service packs that tend to turn on stuff you have
deliberately turned off (not exactly a code/bug level issue but a
potentially bad thing in spades).
Now add to that the potential argument that the bulk of the unix source
related to networking is open source and receives external peer review
outside of the vendor's control. Assumption open source accelerates the
bug fix/find process (either because the white hats see and report or the
black hats see and exploit). Issue NT's 'short time' in the field and
closed source imply that line for line it PROBABLY has more bugs than the
Unix open source code base with extensive time in the field.
Pick any one of the above assumptions and toss it out, in fact probably any
two, then draw a conclusion. Our conclusion, based on the assumptions that
UNIX PROBABLY has fewer 'bugs per line' due to the open source and time in
grade and the fact that NT has more of those potentially less reliable
lines (especially in the kernel), is that a choice between UNIX and NT
based on the underlying code base favors UNIX.
Neither Paul nor I have ever to my knowledge argued that an idiot
configuring a UNIX box is a better choice than an expert configuring an NT
box. Neither of us has argued that NT should never be used as a firewall
platform (in fact I've recommended it in some cases, see the idiot vs. the
expert comment). It is not a religious issue for me, I use both. I doubt
from previous posts that it is a religious issue for Paul. It IS an issue
of security vs. cost. A company that claims it wants the best security
possible and then complains that UNIX guys are hard to find, cost too much,
or 'I can let the office manager manage the NT firewall' is missing the
point. You can choose the ostrich security model, but we tried to
recommend you make an informed decision based on the trade-offs (security
vs. cost).
NOTE: No one seems to have refuted that a stripped NT has more lines of
code than a stripped UNIX or that more lines implies potentially more bugs
and that less time in grade is better than more or that closed source is
better than open source. Those are the technical merits of the case we
stated. Like several people stated, argue the technical points not the
religious sermon. If you can't/won't refute the technical merit please let
this topic die, it is no longer serving a point, religion belongs in
whatever your concept of 'church' is not in mailing lists.
On Sat, 19 Jun 1999 20:58:47 -0400, "Don Kelloway" wrote:
>
>I thought the purpose of this particular thread was to discuss the pros and
>the cons of installing a firewall onto a PC running NT4? It has since
>mushroomed to include topics of conversation where it's being discussed as
>an insecure solution as a desktop op/sys. Of which I'm not going to contest
>that an out of the box NT4 install is insecure. But in an effort to get the
>thread back to discussing the implementation of a firewall solution on NT4.
>What is the opinion with regards to doing the following?
>
>1. Install NT4 as a "stand-alone" server using NTFS. Do not install IIS, no
>add-on optional applications.
>2. Install a 2nd NIC and ensure that "IP forwarding" is not enabled.
>3. Apply SP3 (at a min). Reboot
>4. Apply the appropriate registry tweaks to tighten it further.
>5. Go to Network Properties | Protocols and remove all but the TCP/IP
>protocol.
>6. Click TCP/IP protocol, don't use WINs, don't use LMHOSTS, don't use DNS.
>7. Go to Bindings and completely "unbind" the 2nd NIC. Reboot.
>8. Go back to Network Properties | Services, remove all of them. This
>includes Workstation, Server, everything... Reboot
>9. Then go to Control Panel | Services and set the Startup option for
>everything 'cept Event Log, Plug and Play, and RPC to "disabled". Reboot
>10. Install a firewall, one that binds its *own* IP stack to the external
>NIC.
>
>Optional step for those who are concerned about "services being turned back
>on" (although such would require local access). Open NT Explorer and delete
>everything possible from the WinNT, WinNT\System and WinNT\System32
>directory and subdirectory structures. There's quite a bit that can be
>deleted without any ill effect. I'm talking about EXEs, HLPs, DLLs, etc.
>Experience was my teacher...
>
>After the firewall's security plan has appropriately been configured. Shut
>the system down. Afterwards, and if this hasn't already been done, open the
>box and unplug the fdd cable from the sysboard. Reboot the box, go to the
>CMOS setup and kill APM, serial and parallel communications, disable fdd and
>the CD-ROM. Ensure that the CMOS setup is password protected. Reboot and leave
>the system at the NT login prompt.
>
>Personally, I think this is a damn secure system. Would anyone care to
>disagree and point out any insecurities in the above?
>
>Best Regards, Donald Kelloway
>http://www.commodon.com
>
>
Dana Nowell Home: mailto:[EMAIL PROTECTED]
Cornerstone Software Inc. Work: mailto:[EMAIL PROTECTED]
MIME attachments preferred, BINHEX and uuencoded acceptable.
The opinions above are free, remember you get what you pay for.
The company doesn't speak for me and I don't speak for them.
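An added audit check, not part of either post above: Don's steps 1, 2 and 9 leave a state you can verify rather than trust (no IIS, IP forwarding off, every service except Event Log, Plug and Play and RPC set to Disabled). The script below re-checks that baseline. It is written in PowerShell, which NT4 never shipped, so it assumes a later Windows host and is a way to re-verify the same baseline there; the registry value IPEnableRouter and the service names EventLog, PlugPlay, RpcSs and W3SVC are the real NT-family names, while the allow-list and the "finding" wording are this example's own choices.

```powershell
# Added example (not from the original posts). Audits the baseline left by
# Don's steps 1, 2 and 9. Assumption: runs on a PowerShell-capable Windows
# host (NT4 had no PowerShell); service and registry names are NT-family names.

# Step 9: only these services may stay enabled (Event Log, Plug and Play, RPC).
$allowedServices = @('EventLog', 'PlugPlay', 'RpcSs')

$findings = @()

# Step 2: IP forwarding between the two NICs must be off.
# IPEnableRouter = 0 means the TCP/IP stack does not route between interfaces.
$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$router = (Get-ItemProperty -Path $tcpipParams -Name IPEnableRouter `
           -ErrorAction SilentlyContinue).IPEnableRouter
if ($router -ne 0) {
    $findings += "IPEnableRouter is '$router' (expected 0: no forwarding)"
}

# Step 1: IIS must not be installed. W3SVC is the IIS web service.
if (Get-CimInstance -ClassName Win32_Service -Filter "Name='W3SVC'") {
    $findings += 'IIS (W3SVC) is installed'
}

# Step 9: every service outside the allow-list should have Startup = Disabled.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    if ($allowedServices -notcontains $_.Name -and $_.StartMode -ne 'Disabled') {
        $findings += "Service $($_.Name) ($($_.DisplayName)) StartMode=$($_.StartMode)"
    }
}

if ($findings.Count -eq 0) {
    'Baseline matches: forwarding off, no IIS, only EventLog/PlugPlay/RpcSs enabled'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it after every service pack, since the post's own complaint is that service packs turn things back on; a non-empty findings list is exactly the drift the optional "delete the binaries" step is meant to prevent.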